USN-1308-1: bzip2 vulnerability

Publication date

14 December 2011

Overview

Executables compressed by bzexe could be made to run programs as your login.


Packages

  • bzip2 - high-quality block-sorting file compressor - utilities

Details

vladz discovered that executables compressed by bzexe insecurely create
temporary files when they are ran. A local attacker could exploit this issue to
execute arbitrary code as the user running a compressed executable.

vladz discovered that executables compressed by bzexe insecurely create
temporary files when they are ran. A local attacker could exploit this issue to
execute arbitrary code as the user running a compressed executable.

Update instructions

In general, a standard system update will make all the necessary changes to the bzexe utility. If you have previously used bzexe to compress any executables, they need to be recompressed using the updated version.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
8.04 hardy bzip2 –  1.0.4-2ubuntu4.2
11.10 oneiric bzip2 –  1.0.5-6ubuntu1.11.10.1
11.04 natty bzip2 –  1.0.5-6ubuntu1.11.04.1
10.10 maverick bzip2 –  1.0.5-4ubuntu1.1
10.04 lucid bzip2 –  1.0.5-4ubuntu0.2

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›